A federal government department has been blasted over its "appalling response" to a security researcher's report which found it has been exposing millions of Australians' personal information by leaving serious security flaws unchecked in a critical government website.

The vulnerabilities were found in the myGov website, which stores the private records of Australians, including their doctor visits, prescription drugs, childcare and welfare payments. The Tax Office is expected to make the site mandatory for electronic tax returns this year.


Mr Cubrilovic said this was possible because of so-called "cross-site scripting" flaws on the site, which hackers could have potentially leveraged to hijack myGov accounts.


It is understood some of the flaws have been patched since the government was informed of them on May 2. How long the vulnerabilities have been in place is unknown, although the site has existed in various forms since 2009.

Mr Cubrilovic demonstrated how he was able to hijack this writer's myGov account and access, if linked, Tax Office, Centrelink, Medicare, Child Support, Department of Veterans' Affairs, e-health, and National Disability Insurance Scheme information.

Some of the information accessible via my.gov.au when linking it to Medicare.

There is no suggestion a hacker exploited the vulnerabilities, which security experts deemed "basic" and well-known, for malicious purposes, although Mr Cubrilovic believes he probably wasn't the first to discover them on the site.

To have information stolen, Mr Cubrilovic said a myGov user wouldn't even have to click on a bad link. Instead they would just need to visit a website containing malicious code designed to extract specific information when visiting myGov. One such way this code could be inserted is via third-party advertisements appearing on Australian news websites, as occurred with SBS and the Herald Sun in 2011.
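An added illustration, not from the article and not myGov's code, of the flaw class the experts call "basic": a constructed search page that reflects its input into HTML unencoded, the same page with output encoding applied, and the harmless canary check a security test would run to tell the two apart (the template, handler names and canary values are all made up).

```python
import html

# Constructed illustration of the cross-site scripting (XSS) flaw class the
# article describes: a page that copies attacker-controlled input into its HTML
# without encoding lets that input run as script in the victim's session.
# None of this is myGov code; the template and names are invented for the demo.

TEMPLATE = '<p>No results for: {}</p>'


def render_vulnerable(term: str) -> str:
    """Reflects the search term verbatim, so markup in it becomes live HTML."""
    return TEMPLATE.format(term)


def render_hardened(term: str) -> str:
    """Encodes the term for an HTML text context so it is displayed, not parsed."""
    return TEMPLATE.format(html.escape(term, quote=True))


# The check an "appropriate security test" would automate: submit a harmless
# canary carrying the characters HTML treats specially and see whether they
# come back unencoded. No working payload is needed to detect the flaw.
CANARY_ID = "xsscanary7731"          # constructed marker, unique per test run
CANARY = CANARY_ID + "<\"'>"


def reflects_unencoded(render) -> bool:
    """True if the renderer echoes the canary with its HTML metacharacters intact."""
    out = render(CANARY)
    if CANARY_ID not in out:
        return False                 # input not reflected at all: not this bug
    tail = out.split(CANARY_ID, 1)[1]
    return tail.startswith("<\"'>")  # raw < " ' > survived encoding: injectable


def audit(renderers: dict) -> dict:
    """Run the canary test over named page handlers; report which are injectable."""
    return {name: reflects_unencoded(fn) for name, fn in renderers.items()}


if __name__ == "__main__":
    print(audit({"search_old": render_vulnerable, "search_fixed": render_hardened}))
```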

"If you were to score this [myGov] site out of 10 in terms of security it would be, like, zero or barely half a point," Mr Cubrilovic, of Wollongong, said.

E-health records, including prescription drugs, are also accessible using my.gov.au.

"You could get into anybody's account just by sending them a link either directly to the myGov website or to another website that … runs the exploit code," he said.

After Mr Cubrilovic reported the vulnerabilities to the Australian government's chief technology officer, John Sheridan, the issues were forwarded to the Department of Human Services, which manages the myGov website.

"The simplicity and the range of the vulnerabilities doesn’t give me any confidence that the data is in safe hands," Sydney software architect and IT security consultant Troy Hunt said.

"The fact that Nik was able to demonstrate a basic attack that could allow an attacker to access the victim’s account simply by them [visiting a site] is evidence that the data is anything but 'safe'."

Centrelink payments are also made available via my.gov.au.

After seeing the letter provided to Mr Cubrilovic about the issues, Mr Hunt labelled it an "appalling response" because it didn't address any of the findings made.

"The department’s response didn’t acknowledge any of these risks and by instead claiming that the data was 'in very safe hands' demonstrates that they don’t understand the severity of Nik’s findings…," Mr Hunt said.

"This basically proves that the data has not sufficiently been protected," he said.

"Each of the vulnerabilities identified should have been picked up by appropriate security testing. In particular, cross-site scripting is the most common vulnerability that we find during penetration tests."

"Most of these vulnerabilities shouldn’t have even been there in the first place," Mr Hunt added. "That the programmers were not aware of such fundamental security constructs is very worrying and certainly they should have been detected by security professionals."

"The class of the vulnerabilities ... are such that they are very basic and elementary," Mr Cubrilovic said. "I found them within a few minutes and anybody who is a security analyst who would have spent mere minutes on the website would have found the same bugs.

"It's a very serious issue. You've got millions of people who have their lives in terms of their Medicare, potentially their future tax records available online to anybody to be able to access."

In a statement, the Department of Human Services said access to myGov and its other online services was "audited and monitored" by the department. It also said it "routinely" subjected the myGov website "to independent security testing".

The department also repeated that records were "in very safe hands" and said that it would not discuss specific details of its "security arrangements" as, it said, to do so would "increase risk for our customers".

It said the Australian public could "rest assured" that any information provided to it about IT security was acted upon.

It did not confirm if all issues had been fixed or whether users would be advised. It also did not say whether it was certain that no accounts had been hijacked besides those belonging to this writer and the researcher.

This writer received two telephone calls from the department about the hijacking of the account, which resulted in the closure of linked accounts.

32 comments

What an appalling "duck for cover" by the myGov site admin managers!! The "independent security testing" must have been performed by the cleaners, rather than real security personnel. How can this be allowed to happen under any Government?? Especially when we are constantly being reassured by the weasel words quoted above, which hark back to the days of the Qld premier and his "don't you worry your pretty little head about that"!!

Commenter: TOnes48, Sydney, May 15, 2014, 3:45PM

I wonder if the government has breached any privacy laws here.

Commenter: Kim, May 15, 2014, 4:12PM

Well according to Tony about that internet thingy good old Malcolm Turnbull invented it so it must be safe, because they are right into science and technology, you only have to look at the massive cuts to see that.

Commenter: Lost2, May 15, 2014, 4:39PM

Relax, a group of self-described 'adults' are in charge and we've been promised 'no surprises'. Were it not for the relentless boo-boos, I'd believe them, just before buying shares in whatever bridge they're offloading. Or is that Medibank Private? Hmm, I'm sure sacking half the public servants in Canberra and elsewhere will resolve these issues. Said no one with a brain, ever.

Commenter: Warwick, May 15, 2014, 3:46PM

Typical useless rant that won't help anything - a website built by another government and run by public servants is flawed and you believe it's the Liberals' fault - yawn... a restaurant burnt my pizza order last week, damn Liberals...

Commenter: TC, May 15, 2014, 4:10PM

Warwick - maybe you would like to place the blame where it belongs - on those who made this site happen - apparently without any consideration of their duty of care - Labor.

Labor have repeatedly fast-tracked work, claiming all sorts of benefits, and now they centralise all of our most personal information in an easy-to-access one-stop-shop with a wide-open front door for any hacker to do whatever they want. Now the taxpayer (that's us) will have to spend millions (if we are lucky - billions if we aren't) to fix another mess (of course costs could blow out markedly in the event of any lawsuits).

How many more Labor stuff-ups do we need to happen before Labor is seen by everyone as what it truly is - a disaster that creates other disasters, disasters for which we all have to pay the consequences?

Commenter: John, Canberra, May 15, 2014, 4:12PM

So many "quotes" in the article, hopefully responses haven't been re-interpreted and taken out of context by the author.

An apparent lack of a coherent response from the relevant agency is to be expected... the public doesn't need to know about the security controls deployed or being deployed, just know they have been exposed and are now being worked on.

Regardless, the comments by so-called IT Security "experts" are, although possibly accurate, in general made by consultants hoping to drum up business for themselves.

Commenter: Relax, May 15, 2014, 5:05PM

@John, rusted-on conservative I see.

The government is responsible for funding the work, they cannot be held accountable for how it is implemented. Under a normal applications development life cycle, security is definitely one of the considerations that need to be addressed. In this case it appears that was not the situation.

Penetration testing is part of system development and maintenance and should be done before a system goes live or a change is made.

You clearly let your political bias get in front of the facts. Unless the government of the day is actually hands-on, they cannot be blamed for someone else's failings.

Commenter: Chuck, Oz, May 16, 2014, 11:28AM

Chuck

Such a critical system should have been the subject of adequate requirements regarding performance (including penetration issues), and it should have been tested to ensure it met those requirements before being commissioned. Given it doesn’t meet reasonable standards then either reasonable standards were not specified or it was not adequately tested. Either way, the government of the time is at fault. Given it started circa 2009 and didn’t meet reasonable standards then it is well and truly a Labor disaster. If you disagree then please provide details of your reasons as opposed to vague comment.

Commenter: John, Canberra, May 16, 2014, 5:10PM

Over to the newly-recreated Office of the Australian Privacy Commissioner...

And the boffins in Canberra wonder why there is pressure to privatise these projects.

I wonder how much the IT 'experts' were paid in overtime to get this allegedly critically-insecure website up and running?

A brilliant example of how not to assure Australians that the Government can keep our most sensitive private information secure.
